> Cloudflare CDN bypasses the cache for requests with Authorization headers (option #3) unless either the server explicitly declares the response as cacheable via Cache-Control, ...
This is true, but notably Cloudflare doesn't support the Vary header. So you can get cache leaks due to this standard break. If you receive an authenticated request and return `Cache-Control: max-age=60\r\nVary: Authorization` the resource will be leaked to unauthenticated requests. This also breaks basic auth as the unauthorized response will be cached so logging in won't work as you will get the same response even though you are now passing an Authorization header.
So basically it is only useful if you are "accidentally" sending an Authroization header for public resources. The only case I can think of this being useful is some sort of DOS prevention. (The original will only waste resources other than auth checking for unauthorized users)
This is true, but notably Cloudflare doesn't support the Vary header. So you can get cache leaks due to this standard break. If you receive an authenticated request and return `Cache-Control: max-age=60\r\nVary: Authorization` the resource will be leaked to unauthenticated requests. This also breaks basic auth as the unauthorized response will be cached so logging in won't work as you will get the same response even though you are now passing an Authorization header.
So basically it is only useful if you are "accidentally" sending an Authroization header for public resources. The only case I can think of this being useful is some sort of DOS prevention. (The original will only waste resources other than auth checking for unauthorized users)